1/* SPDX-License-Identifier: GPL-2.0 */
2#ifndef _LINUX_USER_NAMESPACE_H
3#define _LINUX_USER_NAMESPACE_H
4
5#include <linux/kref.h>
6#include <linux/nsproxy.h>
7#include <linux/ns_common.h>
8#include <linux/sched.h>
9#include <linux/workqueue.h>
10#include <linux/rwsem.h>
11#include <linux/sysctl.h>
12#include <linux/err.h>
13
14#define UID_GID_MAP_MAX_BASE_EXTENTS 5
15#define UID_GID_MAP_MAX_EXTENTS 340
16
17struct uid_gid_extent {
18 u32 first;
19 u32 lower_first;
20 u32 count;
21};
22
23struct uid_gid_map { /* 64 bytes -- 1 cache line */
24 u32 nr_extents;
25 union {
26 struct uid_gid_extent extent[UID_GID_MAP_MAX_BASE_EXTENTS];
27 struct {
28 struct uid_gid_extent *forward;
29 struct uid_gid_extent *reverse;
30 };
31 };
32};
33
34#define USERNS_SETGROUPS_ALLOWED 1UL
35
36#define USERNS_INIT_FLAGS USERNS_SETGROUPS_ALLOWED
37
38struct ucounts;
39
40enum ucount_type {
41 UCOUNT_USER_NAMESPACES,
42 UCOUNT_PID_NAMESPACES,
43 UCOUNT_UTS_NAMESPACES,
44 UCOUNT_IPC_NAMESPACES,
45 UCOUNT_NET_NAMESPACES,
46 UCOUNT_MNT_NAMESPACES,
47 UCOUNT_CGROUP_NAMESPACES,
48 UCOUNT_TIME_NAMESPACES,
49#ifdef CONFIG_INOTIFY_USER
50 UCOUNT_INOTIFY_INSTANCES,
51 UCOUNT_INOTIFY_WATCHES,
52#endif
53#ifdef CONFIG_FANOTIFY
54 UCOUNT_FANOTIFY_GROUPS,
55 UCOUNT_FANOTIFY_MARKS,
56#endif
57 UCOUNT_RLIMIT_NPROC,
58 UCOUNT_RLIMIT_MSGQUEUE,
59 UCOUNT_RLIMIT_SIGPENDING,
60 UCOUNT_RLIMIT_MEMLOCK,
61 UCOUNT_COUNTS,
62};
63
64#define MAX_PER_NAMESPACE_UCOUNTS UCOUNT_RLIMIT_NPROC
65
66struct user_namespace {
67 struct uid_gid_map uid_map;
68 struct uid_gid_map gid_map;
69 struct uid_gid_map projid_map;
70 struct user_namespace *parent;
71 int level;
72 kuid_t owner;
73 kgid_t group;
74 struct ns_common ns;
75 unsigned long flags;
76 /* parent_could_setfcap: true if the creator if this ns had CAP_SETFCAP
77 * in its effective capability set at the child ns creation time. */
78 bool parent_could_setfcap;
79
80#ifdef CONFIG_KEYS
81 /* List of joinable keyrings in this namespace. Modification access of
82 * these pointers is controlled by keyring_sem. Once
83 * user_keyring_register is set, it won't be changed, so it can be
84 * accessed directly with READ_ONCE().
85 */
86 struct list_head keyring_name_list;
87 struct key *user_keyring_register;
88 struct rw_semaphore keyring_sem;
89#endif
90
91 /* Register of per-UID persistent keyrings for this namespace */
92#ifdef CONFIG_PERSISTENT_KEYRINGS
93 struct key *persistent_keyring_register;
94#endif
95 struct work_struct work;
96#ifdef CONFIG_SYSCTL
97 struct ctl_table_set set;
98 struct ctl_table_header *sysctls;
99#endif
100 struct ucounts *ucounts;
101 long ucount_max[UCOUNT_COUNTS];
102} __randomize_layout;
103
104struct ucounts {
105 struct hlist_node node;
106 struct user_namespace *ns;
107 kuid_t uid;
108 atomic_t count;
109 atomic_long_t ucount[UCOUNT_COUNTS];
110};
111
112extern struct user_namespace init_user_ns;
113extern struct ucounts init_ucounts;
114
115bool setup_userns_sysctls(struct user_namespace *ns);
116void retire_userns_sysctls(struct user_namespace *ns);
117struct ucounts *inc_ucount(struct user_namespace *ns, kuid_t uid, enum ucount_type type);
118void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
119struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid);
120struct ucounts * __must_check get_ucounts(struct ucounts *ucounts);
121void put_ucounts(struct ucounts *ucounts);
122
123static inline long get_ucounts_value(struct ucounts *ucounts, enum ucount_type type)
124{
125 return atomic_long_read(&ucounts->ucount[type]);
126}
127
128long inc_rlimit_ucounts(struct ucounts *ucounts, enum ucount_type type, long v);
129bool dec_rlimit_ucounts(struct ucounts *ucounts, enum ucount_type type, long v);
130long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum ucount_type type);
131void dec_rlimit_put_ucounts(struct ucounts *ucounts, enum ucount_type type);
132bool is_ucounts_overlimit(struct ucounts *ucounts, enum ucount_type type, unsigned long max);
133
134static inline void set_rlimit_ucount_max(struct user_namespace *ns,
135 enum ucount_type type, unsigned long max)
136{
137 ns->ucount_max[type] = max <= LONG_MAX ? max : LONG_MAX;
138}
139
140#ifdef CONFIG_USER_NS
141
142static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
143{
144 if (ns)
145 refcount_inc(&ns->ns.count);
146 return ns;
147}
148
149extern int create_user_ns(struct cred *new);
150extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
151extern void __put_user_ns(struct user_namespace *ns);
152
153static inline void put_user_ns(struct user_namespace *ns)
154{
155 if (ns && refcount_dec_and_test(&ns->ns.count))
156 __put_user_ns(ns);
157}
158
159struct seq_operations;
160extern const struct seq_operations proc_uid_seq_operations;
161extern const struct seq_operations proc_gid_seq_operations;
162extern const struct seq_operations proc_projid_seq_operations;
163extern ssize_t proc_uid_map_write(struct file *, const char __user *, size_t, loff_t *);
164extern ssize_t proc_gid_map_write(struct file *, const char __user *, size_t, loff_t *);
165extern ssize_t proc_projid_map_write(struct file *, const char __user *, size_t, loff_t *);
166extern ssize_t proc_setgroups_write(struct file *, const char __user *, size_t, loff_t *);
167extern int proc_setgroups_show(struct seq_file *m, void *v);
168extern bool userns_may_setgroups(const struct user_namespace *ns);
169extern bool in_userns(const struct user_namespace *ancestor,
170 const struct user_namespace *child);
171extern bool current_in_userns(const struct user_namespace *target_ns);
172struct ns_common *ns_get_owner(struct ns_common *ns);
173#else
174
175static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
176{
177 return &init_user_ns;
178}
179
180static inline int create_user_ns(struct cred *new)
181{
182 return -EINVAL;
183}
184
185static inline int unshare_userns(unsigned long unshare_flags,
186 struct cred **new_cred)
187{
188 if (unshare_flags & CLONE_NEWUSER)
189 return -EINVAL;
190 return 0;
191}
192
193static inline void put_user_ns(struct user_namespace *ns)
194{
195}
196
197static inline bool userns_may_setgroups(const struct user_namespace *ns)
198{
199 return true;
200}
201
202static inline bool in_userns(const struct user_namespace *ancestor,
203 const struct user_namespace *child)
204{
205 return true;
206}
207
208static inline bool current_in_userns(const struct user_namespace *target_ns)
209{
210 return true;
211}
212
213static inline struct ns_common *ns_get_owner(struct ns_common *ns)
214{
215 return ERR_PTR(-EPERM);
216}
217#endif
218
219#endif /* _LINUX_USER_H */
220

source code of linux/include/linux/user_namespace.h